Now, Firestarter still complains about blocked TCP and ICMP connections to my internal IP (192.168.0.*), on different ports. There are no UDP complaints, but only because the router blocks them all. Formerly, with inbound (but not outbound) UDP blocked, I was also getting tons of blocked UDP connections (especially with Skype launched).

I don't get how it is possible that Firestarter complains about blocked TCP connections. My understanding is that behind the router I'm not reachable from the outside world (due to NAT translation), and the router passes only those inbound packets that match outbound packets. Now, iptables should work in the same way: it should accept inbound response packets matching former outbound ones. So, if a TCP packet manages to get from my computer to the outside server, then the response should never be blocked.

Also, I don't understand how ICMP packets might get through the router and crash on my iptables; they all should be blocked in the router (note, however, that all ICMPs that arrive at my iptables are on port 80; maybe this is a clue).

Could someone point me in the right direction about how to fix those problems (if there are any; maybe I'm uninformed)?

1 Answer

ICMP is necessary for proper IP operation; don't block it, although you can block ICMP echo requests. There is no ICMP port 80, but you are likely getting unreachable messages for various websites on port 80. ICMP messages will not crash your iptables.

You should have ntp running and that will require port 123 open on UDP. DNS on port 53 should also be open on UDP and TCP.

If you are running Skype you should allow outgoing UDP and TCP on the ephemeral ports (32768 to 61000) on Ubuntu, as well as a few others. You will also need to allow UDP and TCP incoming on the port that Skype is using. See my post on Firewalling Skype.

You should expect some traffic on various ports from hosts inside your firewall. You will also receive packets from the Internet if you are on the IP address designated as the DMZ on your router/firewall. The router firewall should also forward packets on related ports for protocols such as FTP.

This doesn't quite answer my question, but thanks anyway. The major part of what I'm asking about is how it could be that Firestarter complains about connections that should be dropped by my router.
– Tomasz Zieliński, Oct 1 '10 at 18:19

If your IP address is assigned to the DMZ the router is unlikely to block anything.
– BillThor, Oct 2 '10 at 1:20

Depending on the router and its configuration you may see traffic from it. If the source and destination addresses are the same for the first three octets then they don't come from the Internet.
– BillThor, Oct 2 '10 at 1:27

DMZ is disabled. So you say that the router itself can cause some traffic? Is there any reason why e.g. Skype causes such connections to occur much more frequently comparing to when Skype is off?
– Tomasz Zieliński, Oct 7 '10 at 12:43

Various services such as Windows shares, routing protocols, and others use periodic broadcasts to announce their presence and discover other computers. If any of these are running on your router you are likely to see traffic originating from the router. If you use DHCP your computer will periodically initiate an exchange with the router. Skype is very verbose. See my post at systemajik.com/blog/firewalling-google-chat-and-skype
– BillThor, Oct 7 '10 at 15:40
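The two heuristics from the answer and the comments above (an ICMP "port 80" hit is a destination-unreachable message whose embedded header carries one of your own outbound web packets, and a source sharing the LAN's first three octets never crossed the router's NAT) can be applied mechanically to the blocked-packet log. The script below is an added example, not code from the thread or from Firestarter; the log lines are constructed in the style of the netfilter LOG target (which appends the triggering packet's header in square brackets for ICMP errors), and the 192.168.0.0/24 LAN prefix is the one from the question.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of the netfilter LOG target (not real captures).
# For an ICMP error the LOG target appends the header of the packet that triggered it
# in square brackets; a front end then shows the embedded TCP port, which is how an
# ICMP hit ends up labelled "port 80".
SAMPLE_LOG = [
    "IN=eth0 OUT= SRC=192.168.0.1 DST=192.168.0.3 LEN=60 PROTO=TCP SPT=1900 DPT=1900",
    "IN=eth0 OUT= SRC=192.168.0.1 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=67 DPT=68",
    "IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.0.3 LEN=88 PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=192.168.0.3 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51234 DPT=80 ]",
    "IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.0.3 LEN=48 PROTO=TCP SPT=4444 DPT=22 SYN",
]

FIELD = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return (outer fields, embedded fields); embedded is empty unless an ICMP error."""
    outer, _, inner = line.partition("[")
    return dict(FIELD.findall(outer)), dict(FIELD.findall(inner.rstrip("] ")))


def classify(line, lan="192.168.0.0/24"):
    """Label one blocked packet by where it can actually have come from."""
    outer, inner = parse_log_line(line)
    net = ip_network(lan)
    if ip_address(outer["SRC"]) in net:
        # Same first three octets as the LAN: the router or another LAN host,
        # so the router's NAT never had a chance to drop it.
        return "lan-or-router"
    if outer.get("PROTO") == "ICMP" and outer.get("TYPE") == "3" and inner:
        # Destination-unreachable wrapping one of our own outbound packets: the
        # router forwarded it because it relates to a connection we started.
        if ip_address(inner["SRC"]) in net:
            return f"icmp-unreachable-for-outbound-{inner['PROTO'].lower()}/{inner['DPT']}"
    return "unsolicited-from-internet"


def summarize(lines, lan="192.168.0.0/24"):
    """Count blocked entries per category to see how much is genuinely external."""
    return Counter(classify(line, lan) for line in lines)


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), "<-", entry[:60])
    print(summarize(SAMPLE_LOG))
```

Only the last category is traffic that the router's NAT should have stopped; the others are exactly the router-originated and related-ICMP cases the thread describes.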